Community Policies
Explore open source security policies by Mondoo and the Mondoo community.
Mondoo's cnspec GitHub repository is a free, open source collection of over 40 security, best practices, and compliance policy bundles created by Mondoo and the Mondoo community. They cover a wide range of platforms and technologies:
- Operating systems: Linux, macOS, and Windows (including specialized variants for workstations and operational best practices)
- Cloud providers: AWS, Azure, GCP, and Oracle Cloud
- Containers and infrastructure as code: Kubernetes, Dockerfiles, and Terraform
- SaaS platforms: GitHub, GitLab, Google Workspace, Microsoft 365, Okta, Slack, and Snowflake
- Network and web security: DNS, TLS/HTTP, Cloudflare, Tailscale, Arista EOS, and Palo Alto Networks
- Other technologies: Chef, EDR (endpoint detection and response), email security, and industrial controllers (Phoenix PLCnext)
cnspec ships with default policies that automatically match the platform you scan, so there's no need to download those separately. Community policies are useful when you want to apply additional checks beyond the defaults.
Use a community policy
To scan with a community policy bundle, download it and pass it to cnspec:
```bash
# Download a policy bundle from the cnspec repo
curl -sLO https://raw.githubusercontent.com/mondoohq/cnspec/main/content/mondoo-github-security.mql.yaml

# Scan using the downloaded policy bundle
cnspec scan github org YOUR_ORG --policy-bundle mondoo-github-security.mql.yaml
```

You can also run a policy bundle against a local system:

```bash
cnspec scan local --policy-bundle mondoo-linux-security.mql.yaml
```

When you use --policy-bundle, cnspec applies only the checks in that bundle instead of the default policies.
To learn more about working with policies, read About Policies and Manage Policies.